* nmweb HTML injection
@ 2022-08-22  6:47 Jakub Wilk
  2022-08-22  8:35 ` Michael J Gruber
  2022-09-05 11:07 ` [PATCH] nmweb: escape subject in search view David Bremner
  0 siblings, 2 replies; 5+ messages in thread
From: Jakub Wilk @ 2022-08-22  6:47 UTC (permalink / raw)
  To: notmuch

See: https://nmbug.notmuchmail.org/nmweb/search/markup%20where%20appropriate

<code> and <p> from the mail subject were dumped without escaping into HTML.

-- 
Jakub Wilk


* Re: nmweb HTML injection
  2022-08-22  6:47 nmweb HTML injection Jakub Wilk
@ 2022-08-22  8:35 ` Michael J Gruber
  2022-09-05 11:07 ` [PATCH] nmweb: escape subject in search view David Bremner
  1 sibling, 0 replies; 5+ messages in thread
From: Michael J Gruber @ 2022-08-22  8:35 UTC (permalink / raw)
  To: Jakub Wilk; +Cc: notmuch

On Mon, 22 Aug 2022 at 09:22, Jakub Wilk <jwilk@jwilk.net> wrote:
>
> See: https://nmbug.notmuchmail.org/nmweb/search/markup%20where%20appropriate
>
> <code> and <p> from the mail subject were dumped without escaping into HTML.
>

Interesting :)

The body is htmlescape()ed, but the subject header is used as is. It
should be escaped too.

Michael

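To make the report and the fix concrete, the following is an added, runnable Python example (not nmweb's own code) that reproduces link_msg() before and after the subject escaping, run against a constructed message whose subject carries the tags from the report, and also covers the missing-Subject path. FakeMessage, PREFIX and link_text_has_raw_tag are assumptions made for the example.

```python
import html
from urllib.parse import quote_plus

# Constructed stand-in for nmweb's URL prefix (an assumption, not the deployed value).
PREFIX = "https://nmbug.notmuchmail.org/nmweb"


class FakeMessage:
    """Constructed stand-in for the notmuch message object passed to link_msg()."""

    def __init__(self, messageid, headers):
        self.messageid = messageid
        self._headers = headers

    def header(self, name):
        # Mirrors the behaviour the patch relies on: a missing header raises LookupError.
        if name not in self._headers:
            raise LookupError(name)
        return self._headers[name]


def link_msg_unescaped(msg):
    """Pre-fix behaviour: the subject is dropped into the HTML verbatim."""
    lnk = quote_plus(msg.messageid.encode("utf8"))   # URL context: percent-encoded
    try:
        subj = msg.header("Subject")                   # HTML text context: nothing done
    except LookupError:
        subj = ""
    return '<a href="%s/show/%s">%s</a>' % (PREFIX, lnk, subj)


def link_msg_escaped(msg):
    """Fixed behaviour: the subject is entity-encoded for the text-node context."""
    lnk = quote_plus(msg.messageid.encode("utf8"))
    try:
        subj = html.escape(msg.header("Subject"))      # <, >, &, quotes become entities
    except LookupError:
        subj = ""
    return '<a href="%s/show/%s">%s</a>' % (PREFIX, lnk, subj)


def link_text_has_raw_tag(rendered):
    """Assumed helper: does the link's text node still contain a raw '<'?"""
    inner = rendered.split(">", 1)[1].rsplit("</a>", 1)[0]
    return "<" in inner
```

Note that the message id and the subject land in two different contexts (URL attribute versus text node), which is why each needs its own encoding; percent-encoding the id does nothing to protect the subject.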

* [PATCH] nmweb: escape subject in search view
  2022-08-22  6:47 nmweb HTML injection Jakub Wilk
  2022-08-22  8:35 ` Michael J Gruber
@ 2022-09-05 11:07 ` David Bremner
  2022-09-17  0:50   ` David Bremner
  2022-09-23 23:21   ` David Bremner
  1 sibling, 2 replies; 5+ messages in thread
From: David Bremner @ 2022-09-05 11:07 UTC (permalink / raw)
  To: Jakub Wilk, notmuch

Fix a bug reported by Jakub Wilk [1].

[1]: id:20220822064717.qftn4tr7cs4r2ian@jwilk.net
---
 devel/notmuch-web/nmweb.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/devel/notmuch-web/nmweb.py b/devel/notmuch-web/nmweb.py
index 928e4863..7b555c62 100755
--- a/devel/notmuch-web/nmweb.py
+++ b/devel/notmuch-web/nmweb.py
@@ -131,7 +131,7 @@ env.globals['mailto_addrs'] = mailto_addrs
 def link_msg(msg):
   lnk = quote_plus(msg.messageid.encode('utf8'))
   try:
-    subj = msg.header('Subject')
+    subj = html.escape(msg.header('Subject'))
   except LookupError:
     subj = ""
   out = '<a href="%s/show/%s">%s</a>' % (prefix, lnk, subj)
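Review bot: the hunk calls html.escape() but the diffstat (1 insertion, 1 deletion) adds no import, so this only works if nmweb.py already has `import html` at module level; if it does not, link_msg() raises NameError on every search result, so please confirm the import is present. Two follow-up checks worth doing: that the show view, which this patch does not touch (it is limited to the search view), renders the subject through an equivalent escape, and that whatever consumes `out` (the file sets up `env.globals`, so presumably a template) does not autoescape it a second time, which would display `&lt;code&gt;` literally instead of `<code>`.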
-- 
2.35.2


* Re: [PATCH] nmweb: escape subject in search view
  2022-09-05 11:07 ` [PATCH] nmweb: escape subject in search view David Bremner
@ 2022-09-17  0:50   ` David Bremner
  2022-09-23 23:21   ` David Bremner
  1 sibling, 0 replies; 5+ messages in thread
From: David Bremner @ 2022-09-17  0:50 UTC (permalink / raw)
  To: Jakub Wilk, notmuch

David Bremner <david@tethera.net> writes:

> Fix a bug reported by Jakub Wilk [1].
>
> [1]: id:20220822064717.qftn4tr7cs4r2ian@jwilk.net
> ---
>  devel/notmuch-web/nmweb.py | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/devel/notmuch-web/nmweb.py b/devel/notmuch-web/nmweb.py
> index 928e4863..7b555c62 100755
> --- a/devel/notmuch-web/nmweb.py
> +++ b/devel/notmuch-web/nmweb.py
> @@ -131,7 +131,7 @@ env.globals['mailto_addrs'] = mailto_addrs
>  def link_msg(msg):
>    lnk = quote_plus(msg.messageid.encode('utf8'))
>    try:
> -    subj = msg.header('Subject')
> +    subj = html.escape(msg.header('Subject'))
>    except LookupError:
>      subj = ""
>    out = '<a href="%s/show/%s">%s</a>' % (prefix, lnk, subj)
> -- 
> 2.35.2

I've deployed this patch on nmbug.notmuchmail.org. It seems to do the
right thing, at least for Jakub's original reported message.

d


* Re: [PATCH] nmweb: escape subject in search view
  2022-09-05 11:07 ` [PATCH] nmweb: escape subject in search view David Bremner
  2022-09-17  0:50   ` David Bremner
@ 2022-09-23 23:21   ` David Bremner
  1 sibling, 0 replies; 5+ messages in thread
From: David Bremner @ 2022-09-23 23:21 UTC (permalink / raw)
  To: Jakub Wilk, notmuch

David Bremner <david@tethera.net> writes:

> Fix a bug reported by Jakub Wilk [1].
>
> [1]: id:20220822064717.qftn4tr7cs4r2ian@jwilk.net

applied to master

d

